Skip to content

Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Low severity GitHub Reviewed Published May 14, 2024 to the GitHub Advisory Database • Updated May 16, 2024
Withdrawn This advisory was withdrawn on May 16, 2024

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.16.5

Patched versions

1.16.5

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to
2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only
in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released
    and this GHSA made public

References

Published to the GitHub Advisory Database May 14, 2024
Reviewed May 14, 2024
Withdrawn May 16, 2024
Last updated May 16, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-r3w4-36x6-7r99
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.